Richard W.M. Jones
2019-Oct-20 11:06 UTC
[Libguestfs] [PATCH libnbd] api: Allow NBD URIs to be restricted.
Previous discussion: https://www.redhat.com/archives/libguestfs/2019-August/msg00102.html Last night I experimentally added support for URIs that contain the query parameter tls-psk-file, as part of rewriting the tests to cover more of the URI code. So you can now have a URI like: nbds://alice@localhost/?tls-psk-file=keys.psk However there's an obvious security problem here because now any libnbd program which takes URIs from less trusted sources will open a local file under the user's control. So it's time to restrict what can appear in URIs. I've added three new APIs for this purpose, see generator/generator in this patch for documentation. The defaults are fairly liberal, except we do prevent opening local files (except socket) by default. Rich.
Richard W.M. Jones
2019-Oct-20 11:06 UTC
[Libguestfs] [PATCH libnbd] api: Allow NBD URIs to be restricted.
New APIs are added which let you enable or disable features of NBD URIs, mainly for security reasons. tls-psk-file is *disabled* by default for obvious security reasons. All other features are enabled by default. --- generator/generator | 127 +++++++++++++++++++++++++++++++++++++++++++- lib/handle.c | 26 +++++++++ lib/internal.h | 5 ++ lib/uri.c | 31 +++++++++-- tests/connect-uri.c | 2 + 5 files changed, 186 insertions(+), 5 deletions(-) diff --git a/generator/generator b/generator/generator index 6cfe1fd..c2ff0db 100755 --- a/generator/generator +++ b/generator/generator @@ -991,7 +991,15 @@ let handshake_flags = { "NO_ZEROES", 1 lsl 1; ] } -let all_flags = [ cmd_flags; handshake_flags ] +let allow_transport_flags = { + flag_prefix = "ALLOW_TRANSPORT"; + flags = [ + "TCP", 1 lsl 0; + "UNIX", 1 lsl 1; + "VSOCK", 1 lsl 2; + ] +} +let all_flags = [ cmd_flags; handshake_flags; allow_transport_flags ] (* Calls. * @@ -1445,6 +1453,75 @@ C<\"qemu:dirty-bitmap:...\"> for qemu-nbd see_also = ["L<nbd_block_status(3)>"]; }; + "set_uri_allow_transports", { + default_call with + args = [ Flags ("mask", allow_transport_flags) ]; ret = RErr; + permitted_states = [ Created ]; + shortdesc = "set the allowed transports in NBD URIs"; + longdesc = "\ +Set which transports are allowed to appear in NBD URIs. The +default is to allow any transports. + +The C<mask> parameter may contain any of the following flags +ORed together: + +=over 4 + +=item C<LIBNBD_ALLOW_TRANSPORT_TCP> + +=item C<LIBNBD_ALLOW_TRANSPORT_UNIX> + +=item C<LIBNBD_ALLOW_TRANSPORT_VSOCK> + +=back"; + see_also = ["L<nbd_connect_uri(3)>"; "L<nbd_set_uri_allow_tls(3)>"]; + }; + + "set_uri_allow_tls", { + default_call with + args = [ Enum ("tls", tls_enum) ]; ret = RErr; + permitted_states = [ Created ]; + shortdesc = "set the allowed TLS settings in NBD URIs"; + longdesc = "\ +Set which TLS settings are allowed to appear in NBD URIs. The +default is to allow either non-TLS or TLS URIs. + +The C<tls> parameter can be: + +=over 4 + +=item C<LIBNBD_TLS_DISABLE> + +TLS URIs are not permitted, ie. a URI such as C<nbds://...> +will be rejected. + +=item C<LIBNBD_TLS_ALLOW> + +This is the default. TLS may be used or not, depending on +whether the URI uses C<nbds> or C<nbd>. + +=item C<LIBNBD_TLS_REQUIRE> + +TLS URIs are required. All URIs must use C<nbs>. + +=back"; + see_also = ["L<nbd_connect_uri(3)>"; "L<nbd_set_uri_allow_transports(3)>"]; + }; + + "set_uri_allow_local_file", { + default_call with + args = [ Bool "allow" ]; ret = RErr; + permitted_states = [ Created ]; + shortdesc = "set the allowed transports in NBD URIs"; + longdesc = "\ +Allow NBD URIs to reference local files. This is I<disabled> +by default. + +Currently this setting only controls whether the C<tls-psk-file> +parameter in NBD URIs is allowed."; + see_also = ["L<nbd_connect_uri(3)>"]; + }; + "connect_uri", { default_call with args = [ String "uri" ]; ret = RErr; @@ -1539,7 +1616,50 @@ be present for the other transports. =item B<tls-psk-file=>F<PSKFILE> -Set the PSK file. See L<nbd_set_tls_psk_file(3)>. +Set the PSK file. See L<nbd_set_tls_psk_file(3)>. Note +this is not allowed by default - see next section. + +=back + +=head2 Disable URI features + +For security reasons you might want to disable certain URI +features. Pre-filtering URIs is error-prone and should not +be attempted. Instead use the libnbd APIs below to control +what can appear in URIs. Note you must call these functions +on the same handle before calling C<nbd_connect_uri> or +L<nbd_aio_connect_uri(3)>. + +=over 4 + +=item TCP, Unix domain socket or C<AF_VSOCK> transports + +Default: all allowed + +To select which transports are allowed call +L<nbd_set_uri_allow_transports(3)>. + +=item TLS + +Default: both non-TLS and TLS connections allowed + +To force TLS off or on in URIs call +L<nbd_set_uri_allow_tls(3)>. + +=item Connect to Unix domain socket in the local filesystem + +Default: allowed + +To prevent this you must disable the C<+unix> transport +using L<nbd_set_uri_allow_transports(3)>. + +=item Read from local files + +Default: denied + +To allow URIs to contain references to local files +(eg. for parameters like C<tls-psk-file>) call +L<nbd_set_uri_allow_local_file(3)>. =back @@ -2900,6 +3020,9 @@ let first_version = [ "aio_connect_socket", (1, 2); "connect_vsock", (1, 2); "aio_connect_vsock", (1, 2); + "set_uri_allow_transports", (1, 2); + "set_uri_allow_tls", (1, 2); + "set_uri_allow_local_file", (1, 2); (* These calls are proposed for a future version of libnbd, but * have not been added to any released version so far. diff --git a/lib/handle.c b/lib/handle.c index 1d4a527..cdbca86 100644 --- a/lib/handle.c +++ b/lib/handle.c @@ -64,6 +64,11 @@ nbd_create (void) h->unique = 1; h->tls_verify_peer = true; h->request_sr = true; + + h->uri_allow_transports = (uint32_t) -1; + h->uri_allow_tls = LIBNBD_TLS_ALLOW; + h->uri_allow_local_file = false; + h->gflags = (LIBNBD_HANDSHAKE_FLAG_FIXED_NEWSTYLE | LIBNBD_HANDSHAKE_FLAG_NO_ZEROES); @@ -360,3 +365,24 @@ nbd_unlocked_get_protocol (struct nbd_handle *h) return h->protocol; } + +int +nbd_unlocked_set_uri_allow_transports (struct nbd_handle *h, uint32_t mask) +{ + h->uri_allow_transports = mask; + return 0; +} + +int +nbd_unlocked_set_uri_allow_tls (struct nbd_handle *h, int tls) +{ + h->uri_allow_tls = tls; + return 0; +} + +int +nbd_unlocked_set_uri_allow_local_file (struct nbd_handle *h, bool allow) +{ + h->uri_allow_local_file = allow; + return 0; +} diff --git a/lib/internal.h b/lib/internal.h index 435cd36..50c0a9b 100644 --- a/lib/internal.h +++ b/lib/internal.h @@ -76,6 +76,11 @@ struct nbd_handle { bool request_sr; char **request_meta_contexts; + /* Allowed in URIs, see lib/uri.c. */ + uint32_t uri_allow_transports; + int uri_allow_tls; + bool uri_allow_local_file; + /* Global flags from the server. */ uint16_t gflags; diff --git a/lib/uri.c b/lib/uri.c index b3dfe7d..704641c 100644 --- a/lib/uri.c +++ b/lib/uri.c @@ -216,6 +216,24 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) goto cleanup; } + /* Check the transport is allowed. */ + if ((transport == tcp && + (h->uri_allow_transports & LIBNBD_ALLOW_TRANSPORT_TCP) == 0) || + (transport == unix_sock && + (h->uri_allow_transports & LIBNBD_ALLOW_TRANSPORT_UNIX) == 0) || + (transport == vsock && + (h->uri_allow_transports & LIBNBD_ALLOW_TRANSPORT_VSOCK) == 0)) { + set_error (EPERM, "URI transport %s is not permitted", uri->scheme); + goto cleanup; + } + + /* Check TLS is allowed. */ + if ((tls && h->uri_allow_tls == LIBNBD_TLS_DISABLE) || + (!tls && h->uri_allow_tls == LIBNBD_TLS_REQUIRE)) { + set_error (EPERM, "URI TLS setting %s is not permitted", uri->scheme); + goto cleanup; + } + /* Parse the socket parameter. */ for (i = 0; i < nqueries; i++) { if (strcmp (queries[i].name, "socket") == 0) @@ -239,9 +257,16 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) /* Look for some tls-* parameters. XXX More to come. */ for (i = 0; i < nqueries; i++) { - if (strcmp (queries[i].name, "tls-psk-file") == 0 && - nbd_unlocked_set_tls_psk_file (h, queries[i].value) == -1) - goto cleanup; + if (strcmp (queries[i].name, "tls-psk-file") == 0) { + if (! h->uri_allow_local_file) { + set_error (EPERM, + "local file access (tls-psk-file) is not allowed, " + "call nbd_set_uri_allow_local_file to enable this"); + goto cleanup; + } + if (nbd_unlocked_set_tls_psk_file (h, queries[i].value) == -1) + goto cleanup; + } } /* Username. */ diff --git a/tests/connect-uri.c b/tests/connect-uri.c index 9eb34d1..6e7d168 100644 --- a/tests/connect-uri.c +++ b/tests/connect-uri.c @@ -73,6 +73,8 @@ main (int argc, char *argv[]) exit (77); } + nbd_set_uri_allow_local_file (nbd, true); + if (nbd_connect_uri (nbd, URI) == -1) { fprintf (stderr, "%s\n", nbd_get_error ()); exit (EXIT_FAILURE); -- 2.23.0
Eric Blake
2019-Nov-04 19:26 UTC
Re: [Libguestfs] [PATCH libnbd] api: Allow NBD URIs to be restricted.
On 10/20/19 6:06 AM, Richard W.M. Jones wrote:> New APIs are added which let you enable or disable features of NBD > URIs, mainly for security reasons. > > tls-psk-file is *disabled* by default for obvious security reasons. > All other features are enabled by default. > ---> @@ -1445,6 +1453,75 @@ C<\"qemu:dirty-bitmap:...\"> for qemu-nbd > see_also = ["L<nbd_block_status(3)>"]; > }; > > + "set_uri_allow_transports", { > + default_call with > + args = [ Flags ("mask", allow_transport_flags) ]; ret = RErr; > + permitted_states = [ Created ]; > + shortdesc = "set the allowed transports in NBD URIs"; > + longdesc = "\ > +Set which transports are allowed to appear in NBD URIs. The > +default is to allow any transports.'any transport.'> + > +The C<mask> parameter may contain any of the following flags > +ORed together: > + > +=over 4 > + > +=item C<LIBNBD_ALLOW_TRANSPORT_TCP> > + > +=item C<LIBNBD_ALLOW_TRANSPORT_UNIX> > + > +=item C<LIBNBD_ALLOW_TRANSPORT_VSOCK> > + > +=back"; > + see_also = ["L<nbd_connect_uri(3)>"; "L<nbd_set_uri_allow_tls(3)>"]; > + };Worth L<nbd_get_uri_allow_tls(3)> to query the current permitted transports? Similar for other new set_ APIs.> + > + "set_uri_allow_tls", { > + default_call with > + args = [ Enum ("tls", tls_enum) ]; ret = RErr; > + permitted_states = [ Created ]; > + shortdesc = "set the allowed TLS settings in NBD URIs"; > + longdesc = "\ > +Set which TLS settings are allowed to appear in NBD URIs. The > +default is to allow either non-TLS or TLS URIs. > + > +The C<tls> parameter can be: > + > +=over 4 > + > +=item C<LIBNBD_TLS_DISABLE> > + > +TLS URIs are not permitted, ie. a URI such as C<nbds://...> > +will be rejected. > + > +=item C<LIBNBD_TLS_ALLOW> > + > +This is the default. TLS may be used or not, depending on > +whether the URI uses C<nbds> or C<nbd>. > + > +=item C<LIBNBD_TLS_REQUIRE> > + > +TLS URIs are required. All URIs must use C<nbs>.C<nbds>> +=item Connect to Unix domain socket in the local filesystem > + > +Default: allowed > + > +To prevent this you must disable the C<+unix> transportIs the + in C<+unix> intentional? Otherwise looks like a good addition. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org
Maybe Matching Threads
- [PATCH libnbd] api: Allow NBD URIs to be restricted.
- [PATCH libnbd] api: Allow NBD URIs to be restricted.
- Re: [PATCH libnbd 9/9] FOR DISCUSSION ONLY: api: Add ‘allow’ parameter to nbd_connect_uri to control permitted URIs.
- Re: [PATCH libnbd 9/9] FOR DISCUSSION ONLY: api: Add ‘allow’ parameter to nbd_connect_uri to control permitted URIs.
- [PATCH libnbd 9/9] FOR DISCUSSION ONLY: api: Add ‘allow’ parameter to nbd_connect_uri to control permitted URIs.